All systems that store or process customer information should undergo vulnerability scans at least once a month. Critical and high findings should be documented in accordance with your change management policy and remediated promptly, within the timeframes that policy defines.
We recommend performing static and dynamic application security testing on in-scope production code. Below are recommendations based on the tools you use:
- If using GitHub, you can enable code scanning with CodeQL, GitHub's built-in analysis engine whose query packs are open source, to query your code for known vulnerability patterns
- If using GitLab, you can use the CI/CD security templates to run SAST, DAST, API fuzzing and other scans as pipeline jobs
- If using CircleCI, you can integrate leading DevOps security scanners into your pipeline, for example through orbs, to run code scans on every build
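The following GitHub Actions workflow is an added example of the first option above, not code taken from this page or from GitHub's own documentation. It runs CodeQL on every push and pull request to `main`, and on a weekly schedule so the monthly scanning cadence above is met even when the code is not changing. The branch name, language list and cron time are assumptions; adjust them to your repository.

```yaml
# .github/workflows/codeql.yml (added example; assumed file name)
name: CodeQL

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"       # weekly, Monday 03:00 UTC (assumed cadence)

# Least privilege: read the repo, write only the code scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [javascript, python]   # assumed; use the languages in your repo

    steps:
      - uses: actions/checkout@v4

      # Initialise CodeQL for the language being analysed in this matrix leg.
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # Builds compiled languages automatically; a no-op for interpreted ones.
      - uses: github/codeql-action/autobuild@v3

      # Run the queries and upload results to the repository's Security tab.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Findings appear under the repository's Security tab as code scanning alerts; branch protection rules can then require the `CodeQL` check to pass before a pull request merges, which turns the scan into a gate rather than a report.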
There are several other open source tools. Check our recommendations for open-source DAST and SAST tools here.